plan does not find old named locations, tries to deploy /identity/conditionalAccess/namedLocations/xxxxxxxxxxx

[mirone85]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

3.0.0 and 3.0.1

Affected Resource(s)

• azuread_named_location azuread_named_location

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

terraform should find the guid of the existing named location

Actual Behavior

terraform plan tries to install new named location in this form /identity/conditionalAccess/namedLocations/xxxxxx

Steps to Reproduce

go to azure ad provider 3.0.0 or 3.0.1, edit existing named location by adding new IP for example, run terraform plan

1. terraform apply

Important Factoids

References

• 0000

[bubbletroubles]

Some more info (I'm having the same problem). @manicminer is this related to #1497 ?

Terraform Plan when using the AzureAD 3.x provider detects changes

 # azuread_conditional_access_policy.policy-name-here will be updated in-place
  ~ resource "azuread_conditional_access_policy" "policy-name-here" {
        id           = "/identity/conditionalAccess/policies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        # (3 unchanged attributes hidden)

      ~ conditions {
            # (4 unchanged attributes hidden)

          ~ locations {
              ~ excluded_locations = [
                  - "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                  + "/identity/conditionalAccess/namedLocations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                ]
                # (1 unchanged attribute hidden)
            }

            # (4 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

The Terraform Apply outputs

Error: Could not update conditional access policy with ID: "/identity/conditionalAccess/policies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
│ 
│   with azuread_conditional_access_policy.policy-name-here,
│   on file-name.tf line 11, in resource "azuread_conditional_access_policy" "policy-name-here":
│   11: resource "azuread_conditional_access_policy" "policy-name-here" {
│ 
│ unexpected status 400 (400 Bad Request) with error: BadRequest: 1040:
│ NamedLocation with id
│ /identity/conditionalAccess/namedLocations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
│ does not exist in the directory.

[enorlando]

We are also having this issue

  # azuread_conditional_access_policy.xx will be updated in-place
  ~ resource "azuread_conditional_access_policy" "xx" {
        id           = "/identity/conditionalAccess/policies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx""
        # (3 unchanged attributes hidden)

      ~ conditions {
            # (4 unchanged attributes hidden)

          ~ locations {
              ~ excluded_locations = [
                  ~ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"" -> "/identity/conditionalAccess/namedLocations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                ]
                # (1 unchanged attribute hidden)
            }

            # (3 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

[manicminer]

Thanks for the report - presuming that the UUIDs match, I'll see if I can put in some diff suppression for that.

[bubbletroubles]

Yes, the UUIDs match.

[mirone85]

is there a feedback

[enorlando]

@manicminer any update on when this will get resolved?

[mirone85]

is there a feedback, when this will be resolved

[mirone85]

any update when this will be resolved?